Title

A data transfer device, a transaction system and a method for exchanging control and I/O data with a data processing system.

Field of the Invention 

The present invention relates, generally, to data communication and, more specifically, to a data transfer device, a transaction system, a method and an Application Specific Integrated Circuit (ASIC) device for exchanging data between remote processing devices.

Background of the Invention 


Data storage means, such as chip cards and other electronic data carriers, have become increasingly popular for performing financial transactions, for purchasing merchandise, for banking, and for other types of data transactions, such as identification and verification.

With the present possibilities for purchasing merchandise, paying bills and the like via the Internet, there is a growing need for completing such transactions using chip cards, credit cards, and the like. However, for this type of "virtual" shopping and banking, the security of the transactions is a major problem, because a transaction via the Internet involves transmission of data via public, unsecured networks.

U.S. Patent 5,815,577 discloses an encryption module comprising pre-programmed software resident within the module and configured to identify and accommodate a plurality of data input devices, such as scanners, magnetic strip readers, smart card readers, and the like. This module, due to its pre-programmed resident software, fulfils the function of a trusted device, such that transactions which are performed through this module can be trusted as to their authenticity. However, this known module has some inherent disadvantages.

Due to the need for pre-programmed software, the module is restricted to operate with data from a known type of chip card of a known transaction entity, such as a bank, for example. Those skilled in the art will appreciate that this concept is not suitable for the handling of chip cards of transaction entities for which suitable processing software has not been previously incorporated in the module. For adding such software later on, one has to understand that hundreds or even thousands of such modules have to be updated manually in such a case.

This is also true in the case of a change in the processing 
functions of known chip cards which are supported by the module and for 
which the already available software in the module has to be updated or 
even completely revised. 

Although it is theoretically feasible to configure the known module for the processing of different chip cards of different transaction entities, in practice, due to lack of co-operation and standardization between such transaction entities, each module operates with a single chip card or other data storage device of a single transaction entity. Accordingly, for each chip card or data storage device a different trusted device has to be installed and used, which leads to an unwieldy, impractical and unmanageable transaction system.

Although it is feasible to provide the trusted devices with a data receive or download facility, for example for receiving or downloading suitable software for processing new chip cards, a problem arises in the case of transferring this software via common or public data networks, such as the Internet. This is because hackers and others may copy and change the software, such that the security of the trusted device and its proper operation in reading and/or writing data of a data storage device, such as a chip card, can no longer be guaranteed.
Summary of the Invention

It is an object of the present invention to overcome the shortcomings of the prior art.

In accordance with a first aspect of the present invention, a data transfer device is provided, having first data interface means for exchanging data with a data processing system, second data interface means for exchanging data with a user of the data transfer device, and control means for controlling data transfer between the first and second data interface means, wherein the control means are configured for receiving control data from the first data interface means for selectively enabling data exchange between the first and second data interface means.

Data exchange between the first and second data interface means can be provided, in a further embodiment of the data transfer device according to the invention, such that the control means are configured for enabling part of the second data interface means for operation in a first or open mode.

In a yet further embodiment of the data transfer device according to the invention, the control means are configured for enabling the second data interface means for operation in a second or secure mode.

In a preferred embodiment of the data transfer device according to the invention, signaling means are provided for signaling the mode of operation of the data transfer device, that is the open or secure mode. Suitable signaling means comprise a Light Emitting Diode (LED) configured such that the LED is illuminated if the data transfer device is in its secure mode of operation.

By selectively enabling data exchange between the first and second data interface means of the data transfer device in accordance with the present invention, data can be exchanged in an open mode or a secure mode of operation of the data transfer device. In the open mode, the data transfer device is operative for exchanging data with a data processing system not requiring a particular type of security. In the secure mode of operation, however, the data transfer device enables data exchange with a data processing system requiring a degree of security. Accordingly, with the data transfer device according to the invention, both secure and non-secure data exchange can be supported, already providing greatly enhanced data processing capabilities compared to the prior art devices discussed above.

The control means are configured, in a yet further embodiment of the invention, for processing data provided by the first and second data interface means in accordance with the control data. That is, in this embodiment of the invention, the control means comprise data processing capabilities.

In a preferred embodiment of the data transfer device according to the invention, the control means are configured for processing data provided by the first and second data interface means in accordance with program execution data to be executed by the data processing system, wherein the program execution data are comprised by the control data. That is, part of a program to be executed by the processing system is transferred to and performed by the data transfer device. By ensuring that the program execution data transferred to and running on the data transfer device are genuine or trusted data, data exchange between the first and second data interface means of the data transfer device can likewise be performed in a safe and trusted, or secure, manner.

In accordance with an embodiment of the invention, the program execution data are only executed by the data transfer device if the device is set into its secure mode of operation. With this option, according to the present invention, a variety of data provided at the second or user data interface means of the data transfer device can be handled safely and in a guaranteed manner by transferring the proper and secure control data to the control means of the data transfer device.

In order to set the device safely and reliably in either the secure mode or the open mode, in accordance with a yet further embodiment of the invention, the data transfer device comprises data storage means for storing authentication data, and the control means are configured for providing an authentication check on the received control data for setting the data transfer device in either one of the open and secure modes of operation.

Using control data comprising certificate data, and control means configured for checking the certificate data of the control data against certificate data stored in the data storage means, the data transfer device is set in its secure mode of operation if the certificate data of the control data are approved, and is set in its open mode of operation for either one of disapproval of the certificate data and non-availability of certificate data in the control data, wherein the control data are deleted if the certificate data thereof are false.

In a preferred embodiment of the invention, the second data interface means comprise keypad means, data card reader means and display means, wherein the control means in the open mode are configured for enabling access to the data card reader means, and wherein the control means in the secure mode are configured for enabling access to the keypad means, the data card reader means and the display means.

That is, the keypad means and the display means of the data transfer device are only active in the secure mode. Accordingly, the keypad means and the display means are arranged as "secure" or "trusted" devices, with which data requiring a certain degree of security can be exchanged and processed. In the open mode of operation, the keypad means and the display means are not enabled for data transfer.

In a yet further embodiment of the invention, the second data interface means comprise Input/Output (I/O) means for data exchange with one or a plurality of peripheral device(s), such as, but not limited to, telecommunication devices like a so-called Voice over IP (VoIP) digital telephone device, a video processing device, a monitor, a printer, etc., wherein the I/O means are only enabled in the secure mode of the data transfer device. That is, the I/O means are arranged as "secure" or "trusted" means via which data requiring a certain degree of security can be exchanged and processed. In the open mode of operation, the I/O means are disabled for data transfer.

The data transfer device, in this embodiment of the invention, provides a type of miniature Trusted Computer Platform (TCP) for performing trusted data exchange, providing among other things an effective defence against viruses, because the data transfer device will only execute program data if the device is set to its secure mode of operation.

With the implementation of an authentication check, the data transfer device according to the invention can easily be arranged for supporting data transfer from a plurality of chip cards or other data storage devices, for example, in both the open and the secure mode of operation, thereby providing a flexible device suitable for processing data of a plurality of chip cards and the like.

By configuring the data transfer device, in a still further embodiment of the invention, for processing data provided by the card reader in accordance with the control data received, data exchange in accordance with a plurality of functions supported by a chip card can be provided.

In order to enhance the security of the data transfer between the data transfer device and a data processing system, in a yet further embodiment of the invention, the data transfer device comprises means for supporting encrypted data transfer between the first interface means and the data processing system, thereby making the data exchange unreadable without the proper decryption algorithm and/or key.

A further improvement of the security of the data transfer device is provided in a further embodiment thereof, wherein the control means are configured for erasing the control data after each transaction or, for example, after a predetermined time period upon completion of a transaction.
The first data interface means may comprise any standardized computer data interface means, such as USB (Universal Serial Bus) interface means, RS 232 interface means, which are known to those skilled in the art, and others.

In accordance with a second aspect of the present invention, a transaction system is provided, comprising a first processing device such as to be operated by an authorization entity, a second processing device such as to be operated by a user, and a data transfer device in accordance with any of the previous claims, wherein the first and second processing devices connect to a data network, and wherein the data transfer device with its first interface means connects to the second processing device, characterized in that the first and second processing devices are configured for exchanging control data from the first processing device to the data transfer device for selectively enabling the second data interface means of the data transfer device.

In the transaction system according to the invention, transaction data between the first and second processing devices are exchanged through the data transfer device of the present invention, which is set either in its open or in its secure mode of operation through suitable control data received by the data transfer device.

In the case of a transaction involving the exchange of secure financial data or other trusted data between the first and second processing devices, such as identity data for retrieving telephone services, video services, or other communication type services, for example, in accordance with a further embodiment of the system following the invention, the first processing means are configured for providing control data for setting the data transfer device in a secure mode, and the first and second processing devices and/or the I/O means are configured for enabling a transaction after the control data have been exchanged.

In a yet further embodiment the transaction system comprises a third processing device such as to be operated by a transaction entity, wherein the third processing device connects to the data network, and wherein the first processing device is configured for enabling a transaction between the second and third processing devices dependent on the enabling of the second interface means of the data transfer device.

That is, suppose a user would like to order merchandise from a store, either a real store or a virtual store, comprising the third processing means. In order that this transaction will be enabled, the merchandise has to be paid for, for which financial data have to be exchanged between the user and a financial entity, such as a bank, comprising the first processing means.

Suppose that the user wishes to pay using a credit account residing at the financial entity; appropriate financial data then have to be exchanged between the user and the financial entity. If the user would like to use a credit card or a chip card or the like, the data transfer device has to be set in a secure mode, operative for processing the data of the particular card. The financial entity, from its first processing device, provides suitable control data to the data transfer device via the second processing device to which the data transfer device connects. Once in its secure mode, data between the first and second processing devices can be securely exchanged. After the completion of this exchange, the merchandise selling entity will be informed, such that the transaction between the second and third processing devices can be enabled and completed.

In a further application example, using the I/O means of the data transfer device for retrieving telecommunication services from a telephone operator or an Internet service provider, for example, operating a third processing device, the data transfer device has to be set in its secure mode for identifying a user by a chip card or the like. Upon request from the user, an authorization host or clearing house, for example, operating first processing means, provides suitable control data to the data transfer device via the second processing device to which the data transfer device connects. Once in its secure mode, data between the first and second processing devices can be securely exchanged. After the completion of this exchange, the telephone operator or Internet service provider will be informed, such that the data transaction between the second and third processing devices and/or between the I/O means and the third processing device can be enabled and completed.

Those skilled in the art will appreciate that the transaction system according to the invention is not limited to the exchange of financial data, communication or other multimedia data, or the purchase of merchandise and telecommunication or Internet services or the like. In fact, the transaction system according to the invention can be used for any type of transaction wherein the data transfer device operates in either one of its open or secure modes.

In a third aspect of the invention, a method for exchanging data with a data processing system is provided using a data transfer device having first data interface means for exchanging data with the data processing system, second data interface means for exchanging data with a user of the data transfer device and control means for controlling data transfer between the first and second data interface means, which method comprises the steps of:

- transferring control data from the data processing system to the data transfer device, and

- selectively enabling data transfer between the first and second data interface means of the data transfer device dependent on the control data received.

In a yet further embodiment of the method according to the 
invention an authentication check is performed on the received control 
data for setting the data transfer device in its open or secure mode of 
operation. 

For this purpose, according to the invention, the control data comprise certificate data, wherein the control data are checked by the control means with respect to the certificate data, and wherein the data transfer device is set in its secure mode of operation if the certificate data of the control data are approved, and is set in its open mode of operation for either one of disapproval of the certificate data and non-availability of certificate data in the control data, wherein the control data are deleted if the certificate data thereof are false.

In the open mode, the data transfer device can be arranged for exchanging data with the user via the second data interface means through a limited number of data input means, such as data card reader means, whereas in the secure mode data exchange with a plurality of data exchange devices connected to the data transfer device is enabled, including keypad means, card reader means, display means, and the I/O means, for example.

In the secure mode, data provided by the first and second data interface means are processed in accordance with program execution data of a program executed by the data processing system, which program execution data are comprised by the control data. In the embodiment of the invention comprising the I/O means, the I/O means are enabled and disabled under control of the program execution data. That is, if the program data relate to a VoIP service, for example, the microphone and loudspeaker means of a VoIP device connected to the I/O means will be switched on and off under control of the VoIP program execution data operative in the data transfer device.

In a yet further embodiment of the invention, the program execution data are operative in the data transfer device while a data card operatively connects to the card reader means.

In order to enhance the security during exchange of data between the data processing system and the data transfer device, in a further embodiment of the method according to the invention, the data are transferred in an encrypted form.

Maximum security is obtained by erasing the control data in the 
data transfer device after the completion of a data exchange. 
The invention relates also to an Application Specific Integrated Circuit (ASIC) device comprising data exchange means and control means for selectively enabling data exchange between first and second data interface means based on control data, in accordance with the invention as disclosed above.

In a yet further embodiment of the invention, the ASIC device further comprises at least one of the first and second data interface means, and/or data processing means for processing data provided by the first and second data interface means in accordance with program execution data provided by the control data. The ASIC device may further comprise data storage means, among others for storing the control data, the program execution data and authentication data.

The above-mentioned and other features and advantages of the invention are illustrated in the following description with reference to the enclosed drawings.

Brief Description of the Drawings 

Figure 1 shows, in a schematic and illustrative manner, a block diagram of a first embodiment of a data transfer device in accordance with the present invention, connected to a processing device, such as a Personal Computer (PC).

Figure 2 shows, in a schematic and illustrative manner, a transaction system in accordance with the present invention.

Figure 3 illustrates in a schematic manner a method of operation in accordance with the present invention.

Figure 4 shows, in a schematic and illustrative manner, a block diagram of a second embodiment of a data transfer device in accordance with the present invention, connected to a processing device, such as a Personal Computer (PC).

Figure 5 shows, in a schematic and illustrative manner, another transaction system in accordance with the present invention.
Description of the Embodiments

Without the intention of limitation, the invention will now be explained by its application with a data transfer device comprising a limited number of user data input and output means.

In figure 1, reference numeral 10 refers to a data transfer device in accordance with the present invention. The data transfer device 10 connects to a Personal Computer (PC) 30 by a standard Universal Serial Bus (USB) or RS 232 data link 50, for example.

The data transfer device 10 comprises first data interface means 11 and second data interface means 12 including keypad means 13, display means 14 and data card reader means 15, such as reader means for a chip card 48 or a magnetic strip card. Those skilled in the art will appreciate that the second data interface means 12 may comprise other well known data input and data output means.

Data transfer between the first and second data interface means 11, 12 is controlled by control means 20 which, for clarity purposes, have been shown in the form of switching means.
In a first or open mode position 21 of the control means 20, data transfer between the first and second data interface means 11, 12 is handled under the control of so-called Unsecured Function Extension (UFE) means 24. In a second or secure mode position 22 data transfer between the first and second data interfaces 11, 12 is controlled by so-called Secure Function Extension (SFE) means 25. The UFE and SFE means 24, 25 are arranged for processing program execution data.

In the open mode, through the UFE means 24, the card reader part 15 of the second data interface means 12 is enabled for the exchange of data with the first data interface means 11, as indicated by reference numeral 26.

In the secure mode, the SFE means 25 are configured for enabling data exchange from any of the second data interface means 12, i.e. the keypad means 13, the display means 14 and the card reader means 15, as indicated by reference numerals 27, 28 and 29, respectively.

Reference numeral 23 denotes a Light Emitting Diode (LED) for indicating the mode of the data transfer device 10. In the preferred embodiment, the LED 23 is illuminated if the device 10 is in its secure mode. Those skilled in the art will appreciate that signaling means other than a LED may be used for this purpose, for example the display means 14.

The data transfer device 10 further comprises data storage means 16, 17 and 18. In use, the storage means 16 comprise so-called security library program data, among others comprising authentication or certification data for use with the SFE means 25. The storage means 17 comprise user I/O library program data, configured for controlling the Input/Output (I/O) with the keypad means 13 and display means 14 of the second data interface means 12. The storage means 18 comprise data configured for controlling the card reader means 15 of the second data interface means 12. Part of the library data may be provided in a non-volatile memory, such as an EEPROM (Electrically Erasable Programmable Read Only Memory) 19. These data may be used, for example, for checking certificate data against stored public keys.

The PC 30 can be a conventional Personal Computer or any other processor controlled device, comprising data interface means 31 for exchanging data with the first data interface means 11 of the data transfer device 10, such as USB or RS 232 data interface means 31. Further, the PC 30 comprises data storage means 32 for storing data, an Application Programming Interface (API) 33 which operates with browser software 34, and application software 35, such as the well-known Java software.

The PC 30 further comprises keyboard means 36, mouse means 37, display or monitor means 38, data input means such as a CD-ROM drive, and a data network interface 40 with the Internet.
The UFE and SFE means 24, 25 are configured for executing program data in conjunction with the application software 35 of the PC 30. That is, the UFE and SFE means function either as an unsecure extension or as a secure extension of the software 35, executed in the data transfer device 10.

As schematically indicated, through the data network interface 40 
application data are exchanged with an application 60 running on a remote 
processing device (not shown). 

For clarity purposes, the data link 50 comprises a control part 51, a download part 52 and an application part 53.

The control part 51 provides overall control of the data exchange between the data transfer device 10 and the PC 30. The download part 52 is arranged for downloading data into the data transfer device 10 from the PC 30. The application part 53 is operative for controlling the UFE means 24 and the SFE means 25 of the data transfer device 10.

Figure 2 illustrates, in a schematic manner, a typical transaction system according to the present invention.

The data transfer device 10 with its keypad means 13, display means 14, card reader means 15 and signaling means 23 connects via its first interface means 11 and the data link 50 to a processing device such as PC 30, to be operated by a user of the transaction system.

As illustratively indicated, the PC 30 connects via an interface 40 and a modem or other suitable data link connection device 41 to a data network such as the Internet 49.
Further, a transaction entity having a processing device 42 connects to the Internet 49, for example a grocery shop, either a real or a virtual shop, for selling merchandise or goods 43.

An authorization or authentication entity having a processing device 44, such as a bank or clearing house, likewise connects to the Internet 49.

For the sake of clarity, in the following description, it is assumed that data between the processing devices 30, 42 and 44 are exchanged via known and/or standardized communication protocols, which are well known to those skilled in the art, such that no further description thereof has to be provided here.

With reference to Figure 3, it is now assumed that a user of the PC 30 and the data transfer device 10 intends to purchase merchandise 43 of the shop via its processing device 42.

Generally, once the user of the PC 30 has made his choice as to the merchandise 43 to be purchased, a financial transaction has to be performed using a credit card 48 associated with an account 45 at the bank or authorization entity having the processing device 44.

To this end, the user of the PC 30 contacts the processing device 44 in order to have the financial transaction enabled. As a first input, the user of the PC 30 indicates the type of credit card he intends to use for completing the financial transaction. It will be understood that the type of credit card to be used can be prescribed by the processing device 42 of the shop selling the merchandise 43.

Because of the secure nature of the financial transaction, the processing device 44 of the authorization entity transmits certified SFE program execution data 46 to the transfer device 10 via the Internet 49. Upon receipt of these SFE program execution data 46, the SFE means 25 check whether the SFE data 46 are certified data which can be safely loaded into the SFE means 25.

In the affirmative, the control means 20 of the transfer device 10 operate in order to set the transfer device 10 in its secure mode, enabling the keypad means 13, the display means 14 and the card reader means 15, while at the same time the LED 23 is illuminated. The certification or authentication check is provided through the security program library 16 of the data transfer device 10.

If the authentication check fails, due to disapproval of the certificate data or because no certificate data are available at all, the data transfer device is set in its open mode of operation. The control data, i.e. the program execution data received in the data transfer device 10, are deleted if the certificate data are false. In the latter case, no data exchange via the second data interface means 12 of the data transfer device 10 is permitted.

Once in its secure mode, data exchanged via the transfer device 10, i.e. its keypad 13, the display means 14 and the card reader means 15, can be regarded as trusted data, such that transactions involving the account 45 at the processing device 44 of the bank or authorization entity can be safely performed, for example a money transfer from the account 45 of the user to the account of the entity selling the merchandise 43.

The program execution data loaded into the SFE means 25 provide the interaction with and the processing of the data exchanged via the card reader means 15. That is, data from the card 48 are processed by the SFE means 25 in accordance with the program execution data loaded through the first data interface means 11 and the control means 20 of the data transfer device 10. In this manner an entity providing a data card can be sure that the card is treated in accordance with pre-defined steps and procedures approved by this entity.

Once the transaction has been completed, the secure data exchange 
via the data transfer device 10 can be closed, while the processing 
device 44 of the authorization entity can inform the processing device 42 
of the vendor of the merchandise 43 of the successful completion of the 
transaction. Accordingly, the merchandise 43 can be delivered to the 
user. 

Dependent on the type of application 60, i.e. purchasing 
merchandise, purchasing services, banking or other transactions, 
different SFE data 46 can be exchanged with the data transfer device 10, 
providing as flexible a transaction system as possible. It is noted that the 
SFE program execution data 46, also called 'Smartlets', may comprise data 
for processing the data from the keypad means 13 and/or the card reader 
means 15 in accordance with a particular data processing function. This 
data processing function may also be contained in the data on the chip 
card 48. 
In those cases wherein no secure transaction has to be performed, 
the processing device 44 will transmit UFE program or control data, 
setting the data transfer device 10 in its open mode. In this mode, the 
device 10 is configured for exchanging data from the chip card 48 only 
and in accordance with an open, standard transaction procedure. 

Accordingly, with the transaction system of the present invention, 
multiple data cards or chip cards can be processed in either a secure or 
an open mode of operation, thereby providing a flexible data transfer 
system. 

Further, the transaction system in accordance with the invention is 
suitable for use both at home and in shops or the like, for handling 
secure and/or open data transactions with a plurality of data storage 
devices, not limited to chip cards, magnetic strip cards and the like. 

In order to enhance the security of the data transaction, after 
completion thereof the program data 46 or 'Smartlets' can be erased in 
the data transfer device 10, for example upon the withdrawal of the chip 
card 48. This is in order to avoid that the control data can be extracted 
from the data transfer device 10. Further, the secure transactions and, 
of course, also the open transactions, can be performed using any type of 
encryption of the data exchange between the several processing devices 
30, 42 and 44. 

Figure 4 shows a further embodiment of a data transfer device 70 
according to the present invention, wherein the SFE means 25 are provided 
with generic Input/Output (I/O) means 71 for the connection of peripheral 
devices 72, such as, but not limited to, telecommunication devices like 
Voice over IP (VoIP) digital telephones, video and audio processing 
means, multimedia devices, etc. 

The I/O means 71 may comprise one or a plurality of connectors, 
preferably connectors of a known or standardized type for the connection 
of a suitable peripheral device. 

The data transfer device 70 is arranged such that, only while in 
its secure mode, data exchange via the I/O means 71 is enabled. 
Accordingly, in the secure mode of the data transfer device, data exchange 
via the I/O means 71 is provided in a safe and trusted manner. 

The data transfer device 70 operates as a miniature Trusted 
Computer Platform (TCP), for performing trusted data exchange. Because 
the data transfer device 70 will only execute program data if the device 
is in its secure mode of operation, an effective virus defense platform 
is provided, for example. 

A typical application example of the data transfer device 70 for 
enabling telecommunication services, in particular VoIP services, will 
now be discussed below with reference to Figure 5. 

The data transfer device 70 with its I/O means 71, keypad means 13, 
display means 14, card reader means 15 and signaling means 23 connects 
via its first interface means 11 and a data link 50 to a processing 
device such as a PC 30, to be operated by a user of the telecommunication 
services. 

As illustratively indicated, the PC 30 connects via an interface 40 
and a modem or other suitable data link connection device 41 to a data 
network, such as the Internet 49. 

Further, a transaction entity operating a processing device 73 
connects to the Internet 49, such as a telecommunication service provider 
or operator providing VoIP services over the Internet 49. 

An authorization or authentication entity having a processing 
device 74, such as a clearing house, likewise connects to the Internet 
49. In the example shown, the authorization or authentication entity 74 
and the transaction entity 73 may be combined into a single entity 
providing both functions. However, for clarity purposes, in the remainder 
it is assumed that both entities are separate. 

With reference to Figure 5, it is now assumed that a user of the PC 
30 and the data transfer device 70 intends to set up a VoIP 
telecommunication connection via the I/O means 71 using VoIP 
telecommunication means 75 connected to the I/O means 71. 

Although the example deals with VoIP, it will be appreciated that 
the telecommunication service provider may provide a plurality of 
services to a user, which can be displayed at the PC 30. Non-limiting 
examples of such services are VoIP, facsimile, voice response control, 
remote calling in, personal address book, etc. 

Generally, once the user of the PC 30 has made his choice as to the 
services to be retrieved, an identification transaction has to be 
performed using a chip card 48, for example, associated with an 
identification account 76 at the authorization entity having the 
processing device 74. 

To this end, the user of the PC 30 contacts the processing device 
74 in order to have the identification transaction enabled. As a first 
input, the user of the PC 30 indicates the type of chip card 48 he 
intends to use for completing the identification transaction. It will be 
understood that the type of chip card 48 to be used can be prescribed by 
the processing device 42 of the telecommunication service provider. 

Because of the secure nature of the identification transaction, the 
processing device 74 of the authorization entity transmits certified SFE 
program execution data 46 to the data transfer device 70 via the Internet 
49. Upon receipt of this SFE program execution data 46, the SFE control 
means 25 check whether this SFE data 46 are certified data, which can be 
safely loaded into the SFE means 25. 

In the affirmative, the control means 20 of the data transfer 
device 70 operate in order to set the data transfer device 70 in its 
secure mode, enabling the keypad means 13, the display means 14, the card 
reader means 15 and the I/O means 71, while at the same time the LED 23 
is illuminated. The identification or authentication check is provided 
through the security program library 16 of the data transfer device 70. 

If the authentication check fails, due to disapproval of the 
certificate data or if no certificate data are available at all, the data 
transfer device 70 is set in its open mode of operation. The control 
data, i.e. the program execution data received in the data transfer 
device 70, are deleted if these certificate data are false. In the latter 
case, no data exchange via the second data interface means 12 of the data 
transfer device 10 is permitted. 

Once in its secure mode, data exchange via the transfer device 70, 
i.e. its keypad 13, the display means 14, the card reader means 15 and 
the I/O means 71, can be regarded as trusted data, such that transactions 
involving the identified user 30 can be safely provided. 

Once the identification transaction has been completed, the secure 
data exchange via the I/O means 71 of the data transfer device 70 can be 
enabled, in that the processing device 74 of the authorization entity can 
inform the processing device 73 of the telecommunication provider of the 
successful completion of the identification transaction. Accordingly, the 
services can be provided. That is, the telecommunication service provider 
may provide the requested service(s) to the user 30, such as VoIP. 

The I/O means 71 are enabled if the SFE program execution data 46 
are put into action, that is, executed. The executable part of the SFE 
data 46 controls the I/O means 71. After having successfully performed 
the security step, the I/O means 71 can be enabled and/or disabled by the 
SFE software. In the case of SFE program data relating to VoIP, the 
peripheral devices, such as a microphone and loudspeaker connected to the 
I/O means 71, will be put into operation once the VoIP link has been 
established. Likewise, the I/O means will be disabled by the SFE VoIP 
program data once the VoIP link has been terminated. 

Further, the SFE program execution data can be arranged such that, 
while the chip card 48 is inserted in or connected to the chip card reader 
means 15 of the data transfer device 70, the SFE program execution data 
will be available and/or active in the data transfer device 70. Upon 
removing the chip card 48, for example at the completion of the service 
provision, i.e. if the user 30 terminates a VoIP call, the I/O means 71 
will be disabled by the disabling of the respective SFE program data. It 
has to be understood that the I/O means 71 of the data transfer device 70 
are solely controlled under the responsibility of the respective SFE 
program execution data loaded into the data transfer device 70. 
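The mode-selection logic described above for both the financial transaction (device 10) and the VoIP identification transaction (device 70), and restated in claims 8 and 30, written out as an added Python model; this is illustrative code, not code from the patent. The patent does not fix a certificate format, so an HMAC-SHA256 tag over the program data, keyed with a secret assumed to be held in the security program library 16, stands in for the certificate data; the interface names and the Smartlet bytes are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed stand-in for the authentication data kept in the security
# program library 16 (assumption: a key shared with the authorization entity).
STORED_AUTH_KEY = b"constructed-example-key-of-library-16"

OPEN_MODE = frozenset({"card_reader"})                                # claim 9
SECURE_MODE = frozenset({"keypad", "display", "card_reader", "io"})   # claim 11


def make_certificate(program_data: bytes, key: bytes = STORED_AUTH_KEY) -> bytes:
    """Certificate data the authorization entity (device 44/74) attaches (assumed HMAC)."""
    return hmac.new(key, program_data, hashlib.sha256).digest()


@dataclass
class ControlData:
    program_data: bytes             # SFE program execution data 46 ("Smartlet")
    certificate: Optional[bytes]    # None models "no certificate data available"


class TransferDevice:
    """Open/secure mode logic of the data transfer device (10; 70)."""

    def __init__(self) -> None:
        self.mode = "open"
        self.enabled: FrozenSet[str] = OPEN_MODE
        self.led_on = False                     # LED 23
        self.smartlet: Optional[bytes] = None   # program data loaded in SFE means 25
        self.io_active = False                  # I/O means 71, driven by the Smartlet
        self.card_inserted = False

    def _set_open(self, block_second_interface: bool = False) -> None:
        self.mode = "open"
        self.led_on = False
        self.smartlet = None                    # control data deleted / erased
        self.io_active = False
        # False certificate: no exchange at all via second interface means 12.
        self.enabled = frozenset() if block_second_interface else OPEN_MODE

    def receive_control_data(self, cd: ControlData) -> str:
        """Authentication check by the SFE control means 25 (claims 8 and 30)."""
        if cd.certificate is None:
            self._set_open()                    # non-availability -> open mode
            return self.mode
        expected = make_certificate(cd.program_data)
        if not hmac.compare_digest(expected, cd.certificate):
            self._set_open(block_second_interface=True)   # false -> delete, block
            return self.mode
        self.smartlet = cd.program_data         # safely loaded into SFE means 25
        self.mode = "secure"
        self.enabled = SECURE_MODE
        self.led_on = True
        return self.mode

    def exchange_permitted(self, interface: str) -> bool:
        """Whether data exchange via a part of the second interface is allowed now."""
        if interface == "io":
            return self.mode == "secure" and self.io_active
        return interface in self.enabled

    def set_io(self, active: bool) -> bool:
        """I/O means 71 are switched only by a loaded Smartlet in secure mode."""
        if self.mode != "secure" or self.smartlet is None:
            return False
        self.io_active = active
        return True

    def insert_card(self) -> None:
        self.card_inserted = True

    def remove_card(self) -> None:
        """Withdrawal of chip card 48 erases the Smartlet and disables I/O."""
        self.card_inserted = False
        self._set_open()


if __name__ == "__main__":
    dev = TransferDevice()
    dev.insert_card()
    voip_smartlet = b"constructed VoIP Smartlet"
    print(dev.receive_control_data(ControlData(voip_smartlet, make_certificate(voip_smartlet))))
    print("VoIP link up:", dev.set_io(True), "io permitted:", dev.exchange_permitted("io"))
    dev.remove_card()
    print("after card removal:", dev.mode, dev.exchange_permitted("io"))
```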

It will be appreciated that the identification procedure disclosed 
above in connection with the retrieval of telecommunication services, for 
example, may also involve debiting of a bank account or other money 
related account for payment of the services provided, for example such 
as disclosed above in connection with the purchase of goods. 

That is, together with or in a similar operation as the above 
disclosed identification transaction, a financial transaction involving a 
financial account 45 (e.g. a payment transaction) with a bank 44 or a 
clearing house 74 may be initiated for enabling the I/O means 71. 

It will be appreciated that, instead of telecommunication services, 
other services may be provided to a user via the I/O means 71, among 
others multimedia type services. 

Although the transaction system and method according to the 
invention have been disclosed by reference to their use via the Internet 
49, those skilled in the art will appreciate that any other data network 
for the transfer of data can be used, such as the Public Switched 
Telephone Network (PSTN), the Integrated Services Digital Network (ISDN), 
a Cable Television (CaTV) network and the like, or even a direct link with 
the processing devices 42 and/or 44. 

The invention further relates to an Application Specific Integrated 
Circuit (ASIC) device comprising any or a selection of the control means 
20, the SFE and UFE means 24, 25, the storage means 16, 17, 18 and the 
data interface means 11. Such an ASIC provides enhanced security to the 
data transfer device 10 as a whole. 

Various modifications in the design and implementation of the 
various components and method steps discussed above may be made without 
departing from the spirit and scope of the invention, as set forth in the 
appended claims. 

Claims 

1. A data transfer device, having first data interface means 
for exchanging data with a data processing system, second data interface 
means for exchanging data with a user of said data transfer device, and 
control means for controlling data transfer between said first and second 
data interface means, characterized in that said control means are 
configured for receiving control data from said first data interface 
means for selectively enabling data exchange between said first and 
second data interface means. 

2. A data transfer device according to claim 1, wherein said 
control means are configured for processing data provided by said first 
and second data interface means in accordance with said control data. 

3. A data transfer device according to claim 2, wherein said 
control means are configured for processing data provided by said first 
and second data interface in accordance with program execution data to be 
executed by said data processing system, wherein said program execution 
data are comprised by said control data. 

4. A data transfer device according to claim 1, 2 or 3, 
wherein said control means are configured for enabling part of said first 
and second data interface means for operation in a first or open mode. 

5. A data transfer device according to claim 1, 2 or 3, 
wherein said control means are configured for enabling said second data 
interface means for operation in a second or secure mode. 

6. A data transfer device according to claim 5, wherein said 
control means are configured for executing said program data if said data 
transfer device is set in its secure mode of operation. 

7. A data transfer device according to claim 2, 3, 4, 5 or 6, 
further comprising data storage means for storing authentication data, 
and wherein said control means are configured for providing an 
authentication check on said received control data for setting said data 
transfer device in either one of said open and secure mode of operation. 
8. A data transfer device according to claim 7, wherein said 
control data comprise certificate data, and wherein said control data 
means are configured for checking said certificate data of said control 
data with respect to certificate data stored in said data storage means, 
for setting said data transfer device in its secure mode of operation if 
said certificate data of said control data are approved and for setting 
said data transfer device in its open mode of operation for either one of 
disapproval of said certificate data and non-availability of certificate 
data of said control data, and for deleting said control data if said 
certificate data thereof are false. 

9. A data transfer device according to claim 4, 5, 6, 7 or 8, 
wherein said second data interface comprises keypad means, data card 
reader means and display means, wherein said control means in said open 
mode are configured for enabling access to said data card reader means, 
and wherein said control means in said secure mode are configured for 
enabling access to said keypad means, data card reader means and display 
means. 

10. A data transfer device according to claim 9, wherein said 
control means are configured for processing data provided by said card 
reader in accordance with said control data received. 

11. A data transfer device according to claim 4, 5, 6, 7, 8, 9 
or 10, wherein said second data interface comprises Input/Output (I/O) 
means for data exchange with at least one peripheral device to be 
connected to said I/O means, and wherein said control means in said 
secure mode are configured for enabling access to said I/O means by said 
at least one peripheral device. 

12. A data transfer device according to claim 11, wherein said 
I/O means are configured for connecting at least one data communication 
device. 

13. A data transfer device according to claim 12, wherein said 
data communication device is a Voice over IP (VoIP) digital telephone 
device. 

14. A data transfer device according to any of the claims 4, 5, 
6, 7, 8, 9, 10, 11 or 12, further comprising signaling means for 
signaling said mode of operation of said data transfer device. 

15. A data transfer device according to claim 14, wherein said 
signaling means comprise a Light Emitting Diode (LED), and wherein said 
control means are arranged for illuminating said LED if said data 
transfer device is in its secure mode of operation. 

16. A data transfer device according to any of the previous 
claims, further comprising means for supporting encrypted data transfer 
via said first interface means. 

17. A data transfer device according to any of the previous 
claims, wherein said first data interface means comprise standardized 
computer data interface means, such as USB (Universal Serial Bus) 
interface means. 

18. A transaction system, comprising a first processing device 
such as to be operated by an authorization entity, a second processing 
device such as to be operated by a user, and a data transfer device in 
accordance with any of the previous claims, wherein said first and second 
processing devices connect to a data network, and wherein said data 
transfer device with its first interface means connects to said second 
processing device, characterized in that said first and second processing 
devices are configured for exchanging control data from said first 
processing device to said data transfer device for selectively enabling 
said second data interface means of said data transfer device. 

19. A transaction system according to claim 18, wherein said 
transaction involves exchange of trusted data, wherein said first 
processing device is configured for providing control data for setting 
said data transfer device in a secure mode. 

20. A transaction system according to claim 18 or 19, 
comprising a third processing device such as to be operated by a 
transaction entity, wherein said third processing device connects to said 
data network, and wherein said first processing device is configured for 
enabling a transaction between said second and third processing devices 
dependent on said enabling of said second interface means of said data 
transfer device. 

21. A transaction system according to claim 20, wherein said 
transaction between said second and third processing devices involves 
exchange of trusted data between said first and second processing 
devices, wherein said first processing device is configured for providing 
control data for setting said data transfer device in a secure mode and 
wherein said third processing device is configured for enabling said 
transaction between said second and third processing devices after said 
trusted data have been successfully exchanged. 

22. A transaction system according to claim 20, wherein said 
transaction between said second and third processing devices involves 
exchange of trusted data between said first and second processing 
devices, wherein said first processing device is configured for providing 
control data for setting said data transfer device in a secure mode and 
wherein said third processing device is configured for enabling a 
transaction between said I/O means and said third processing device after 
said trusted data have been successfully exchanged. 

23. A transaction system according to claim 22, wherein said 
transaction entity is a telecommunication service provider. 

24. A transaction system according to claim 20, 21, 22 or 23, 
comprising a plurality of first, second and third processing devices, 
wherein said data network is a public data network, such as the Internet. 

25. A first processing device configured for operating in 
accordance with any of the claims 17, 18, 19, 20, 21, 22, 23 or 24. 

26. A second processing device configured for operating in 
accordance with any of the claims 17, 18, 19, 20, 21, 22, 23 or 24. 

27. A third processing device configured for operating in 
accordance with any of the claims 17, 18, 19, 20, 21, 22, 23 or 24. 

28. A method of exchanging data with a data processing system 
using a data transfer device having first data interface means for 
exchanging data with said data processing system, second data interface 
means for exchanging data with a user of said data transfer device, and 
control means for controlling data transfer between said first and second 
data interface means, characterized by the steps of: 
- transferring control data from said data processing system to 
said data transfer device, and 
- selectively enabling data exchange of data between said first and 
second data interface means. 

29. A method according to claim 28, wherein an authentication 
check is performed by said control means on said control data for setting 
the data transfer device in either one of an open and secure mode of 
operation. 

30. A method according to claim 29, wherein said control data 
comprise certificate data, wherein said control data are checked by said 
control means with respect to said certificate data, and wherein said 
data transfer device is set in its secure mode of operation if said 
certificate data of said control data are approved and said data transfer 
device is set in its open mode of operation for either one of disapproval 
of said certificate data and non-availability of certificate data of said 
control data, and wherein said control data are deleted if said 
certificate data thereof are false. 

31. A method according to claim 30, wherein said data transfer 
device in its open mode of operation exchanges data with said second data 
interface means through a limited number of data input means thereof, 
such as a data card reader means, whereas the data transfer device in its 
secure mode of operation exchanges data with said second data interface 
means through a plurality of data input and output devices thereof, 
including keypad means, display means, card reader means, and 
Input/Output (I/O) means for data exchange with at least one peripheral 
device to be connected to said I/O means. 

32. A method according to claim 28, 29, 30 or 31, wherein data 
provided by said first and second data processing means is processed in 
accordance with program execution data of a program executed by said data 
processing system, said program execution data being comprised by said 
control data. 

33. A method according to claim 32, wherein said I/O means are 
enabled and disabled under control of said program execution data. 

34. A method according to claim 33, wherein said program 
execution data are operative in said data transfer device while a data 
card operatively connects to said card reader means. 

35. A method according to claim 28, 29, 30, 31, 32, 33 or 34, 
wherein data between said data processing system and said data transfer 
device are exchanged in an encrypted form. 

36. A method according to claim 28, 29, 30, 31, 32, 33, 34 or 
35, wherein control data in said data transfer device are erased after the 
completion of a data exchange. 

37. An Application Specific Integrated Circuit (ASIC) device 
comprising data exchange means and control means for selectively enabling 
data exchange between first and second data interface means based on 
control data in accordance with any of the previous claims. 

38. An ASIC device according to claim 37, further comprising at 
least one of said first and second data interface means. 

39. An ASIC device according to claim 37 or 38, further 
comprising data processing means for processing data provided by said 
first and second data interface means in accordance with program 
execution data provided by said control data. 

40. An ASIC device according to claim 37, 38 or 39, further 
comprising data storage means, among others for storing said control 
data, said program execution data and authentication data. 
Abstract 

A data transfer device (10; 70), having first data interface means 
(11) for exchanging data with a data processing system (30), second data 
interface means (12) for exchanging data with a user of the data transfer 
device, and control means (20) for controlling data transfer between the 
first and second data interface means (11, 12). The control means (20) 
are configured for receiving control data from the first data interface 
means (11) for selectively enabling data exchange between the first and 
second data interface means (11, 12). The control means (20) can be 
configured for enabling part of the first and second data interface means 
(11, 12) for operation in a first or open mode, and for enabling the 
second data interface means (12) for operation in a second or secure mode 
of operation. The second data interface means (12) may comprise 
Input/Output (I/O) means (71) for secure data exchange with the first 
data interface means (11) under the control of program execution data 
operative in the data transfer device (10; 70) and comprised by the 
control data. 